User:Shawndouglas/sandbox/sublevel4


Title: HIPAA Compliance: An Introduction

Author for citation: Alan Vaughan, with editorial modifications by Shawn Douglas

License for content: Creative Commons Attribution-ShareAlike 4.0 International

Publication date: June 2016

Introduction

Reason and scope


In the U.S. healthcare industry, there are two main regulatory laws: the Clinical Laboratory Improvement Amendments of 1988 (CLIA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The first is aimed at clinical laboratories; the second applies to the vast majority of healthcare settings. This training guide is intended to provide accurate and useful training to those required to comply with HIPAA. Indeed, HIPAA training is mandated in the law itself, and the United States Department of Health and Human Services (HHS) summarizes that responsibility as follows:

Workforce members include employees, volunteers, trainees, and may also include other persons whose conduct is under the direct control of the [covered] entity (whether or not they are paid by the entity). A covered entity must train all workforce members on its privacy policies and procedures, as necessary and appropriate for them to carry out their functions. A covered entity must have and apply appropriate sanctions against workforce members who violate its privacy policies and procedures or the Privacy Rule.[1]

Anyone involved in healthcare has probably already realized that, while their own entity's policies and procedures may well be compliant, there is still a great deal of misunderstanding about HIPAA, as well as a general lack of knowledge of it beyond the measures in place where they happen to work. It is also a matter of concern that industry professionals have encountered an alarming number of courses and guides that purport to provide an acceptable level of training yet prove to be significantly lacking in scope, clarity, and in some cases accuracy.

This training guide is designed to provide a substantive, reasonably comprehensive understanding of all the aspects of HIPAA that have bearing on most healthcare industry professionals. It is based almost entirely on first-hand materials from the HHS (which the law charges with administering HIPAA) and on the text of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) itself, rather than on secondary and tertiary interpretations and paraphrasing. However, these resources do not and cannot provide every detail for every scenario. As such, several third-party sources were also taken into account in order to present the fullest possible understanding of the materials and their relevance to the covered entities HIPAA affects.

Goals of this guide

The primary aim of this training guide is to help satisfy the requirement for HIPAA training described above. Whether used to fulfill that directive or as a source for your own research, it is designed to provide the most comprehensive, clear, and accurate general familiarity with HIPAA possible for those attempting to be compliant.

What is HIPAA?


The healthcare industry must comply with both CLIA and HIPAA. CLIA regulatory standards apply to all clinical laboratory testing performed on humans in the United States, except clinical trials and basic research.[2] While important, this guide focuses on HIPAA, which was enacted by the United States Congress and signed into law in 1996.[3]

Whereas CLIA sets standards for clinical testing, HIPAA is concerned with rigorously and effectively protecting patients' personal information. It applies to almost any entity that handles a patient's personal information, including contractors and other business associates.

Privacy and security

There are two main areas of HIPAA regulations and standards: privacy and security. Both apply to all covered entities and are related, but have slightly different emphases.

  • HIPAA privacy (the Privacy Rule): This concentrates on the patient's right to privacy regarding their personal information and health records, and on what covered entities must do to support that right. It also includes the patient's right to access those data.
  • HIPAA security (the Security Rule): This portion of HIPAA focuses on the requirements for covered entities to protect patient data, through administrative, physical, and technical safeguards.

Government oversight

When laws are made, the responsibility to make affected parties aware of their obligations and how to meet them—and to monitor, enforce and punish offenders—is often allocated to a particular body. In the case of HIPAA, the HHS is that body. Within the HHS, the Office for Civil Rights (OCR) ensures equal access to certain health and human services and protects the privacy and security of health information. Additionally, the Centers for Disease Control and Prevention (CDC) and other HHS agencies provide additional guidance and materials.

Further information about HIPAA, including its history, can be found on the LIMSwiki Health Insurance Portability and Accountability Act page.

References

  1. Office for Civil Rights (26 July 2013). "Summary of the HIPAA Privacy Rule". United States Department of Health and Human Services. https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html. Retrieved 09 February 2022.
  2. "Code of Federal Regulations Title 42, Chapter IV, Subchapter G, Part 493". U.S. Government Publishing Office. https://www.ecfr.gov/current/title-42/chapter-IV/subchapter-G/part-493. Retrieved 09 February 2022.
  3. "Public Law 104 - 191 - Health Insurance Portability And Accountability Act of 1996". GovInfo. U.S. Government Publishing Office. 21 August 1996. https://www.govinfo.gov/app/details/PLAW-104publ191. Retrieved 09 February 2022.